The Latest: Facebook says hackers could access some apps

FILE - In this March 29, 2018, file photo, the logo for Facebook appears on screens at the Nasdaq MarketSite in New York's Times Square. Facebook says it recently discovered a security breach affecting nearly 50 million user accounts.
The hack is the latest setback for Facebook during a year of tumult for the global social media service. In a blog post , Friday, Sept. 28, the company says hackers exploited its "View As" feature, which lets people see what their profiles look like to someone else (AP Photo/Richard Drew, File)

NEW YORK (AP) — The Latest on Facebook’s security breach (all times local): 6:15 p.m. Facebook says a hack affecting 50 million users could also have given attackers access to other apps. Facebook’s vice president…

NEW YORK (AP) — The Latest on Facebook’s security breach (all times local):

6:15 p.m.

Facebook says a hack affecting 50 million users could also have given attackers access to other apps.

Facebook’s vice president of product, Guy Rosen, says that attackers with access to a Facebook user’s account could also have accessed other apps if they had logged into them using their Facebook username and password.

A feature called Facebook Login allows people to use their Facebook credentials to sign into certain other apps and services.

Rosen wouldn’t say if there was any evidence that attackers misused access to those third party accounts. He says it could have affected apps tied to someone’s Facebook account, including Facebook’s own Instagram app — although not its WhatsApp messaging service.

He says affected users will now have to manually re-link those third party apps to their Facebook accounts.

___

6 p.m.

Facebook says its automated systems incorrectly marked two news articles, one from The Associated Press and one from The Guardian, as spam on Friday. The articles were both about a security breach that compromised 50 million Facebook accounts.

Facebook briefly did not allow users to post the stories, although similar articles from The New York Times and others were postable.

“We fixed the issue as soon as we were made aware of it,” Facebook says in a statement. “We apologize for the inconvenience.”

Facebook briefly blocked people from posting articles by The Associated Press and The Guardian about its security breach, announced Friday, which affected 50 million accounts. When users tried to post the articles, a notice popped up saying the article had triggered a filter for likely spam.

“Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam,” the notice said. “Please try a different post.”

Similar articles by The New York Times and other outlets were not blocked.

The company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Rosen says the bug somehow allowed a video uploader to appear for sending happy birthday messages. Another bug then created a log-in key that made Facebook think the hacker had legitimately signed in with the account being viewed.

Facebook says the investigation is continuing.

___

2 p.m.

One security expert says the hacking attack on Facebook is serious — but only Facebook knows how serious.

Jake Williams, the president of Rendition Infosec, says the log-in keys that hackers got on some 50 million user accounts would likely allow hackers to view private information and post on other people’s behalf. He says access could also extend to other Facebook apps, such as Messenger.

He says the bigger concern is whether this could affect third-party applications since so many people let other sites log them in with their Facebook credentials.

But he says the log-in keys, called access tokens, wouldn’t let hackers get the users’ actual passwords. Facebook is saying there’s no need for users to reset passwords.

Facebook executive Guy Rosen says hackers exploited three distinct bugs to access the accounts. He says hackers needed to not only steal log-in keys but know how to use them.

Facebook says hackers got those keys, called access tokens, through Facebook’s “View As” feature, which lets people see what their profiles look like to someone else. These tokens keep people logged in so they don’t have to re-enter passwords each time.

The company says it started investigating when it noticed increased user access to the service nearly two weeks ago. Facebook says the FBI has been notified in the U.S., as have Irish data protection officials for the European Union.

___

1:25 p.m.

Facebook CEO Mark Zuckerberg says the company doesn’t know yet whether hackers who had exploited a security vulnerability have misused any of the user account information.

He says there’s no evidence yet that hackers used the vulnerability to see other people’s private messages or posts or to post on those accounts. But Facebook says the investigation is continuing.

In a blog post, the company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Facebook says it has taken steps to fix the security problem and alerted law enforcement.

In a blog post, the company says hackers exploited its “View As” feature, which lets people see what their profiles look like to someone else. Facebook says it has taken steps to fix the security problem and alerted law enforcement.

To deal with the issue, Facebook reset some logins, so 90 million people have been logged out and will have to log in again. That includes anyone who has been subject to a “View As” lookup in the past year.

Facebook says it doesn’t know who’s behind the attacks or where they’re based.

The hack is the latest security headache for Facebook, which has been dealing with political disinformation campaigns from Russia and elsewhere since 2016.